BUILDERS READY
Sign inStart free trial
BUILDERS READY

Privacy Policy

Last updated: 18 May 2026

1. Who we are

Builders Ready is operated by Mehraj Consultancy Ltd ("we", "us", "our"), a company registered in England and Wales with company number 14161216. Our registered office details are on file with Companies House.

For the purposes of UK GDPR, we are the data controller of:

  • Personal data about builder account holders (the people who sign up for a Tenant)
  • Personal data about Project Managers and Clients invited to a Tenant
  • Operational data about how the Service is used

For data uploaded into a Tenant by its builder (photos, project notes, client-specific information beyond the basic profile) we act as a data processor on the builder's behalf. The builder is the controller of that Client Data.

2. Data we collect

From builders

  • Name, email address, password (hashed)
  • Business name, business email, business phone
  • Brand assets: logo, colour preferences
  • Banking details for invoicing (sort code, account number, account name) — used only to display on invoices to your clients; we never debit these
  • VAT and Companies House registration numbers, where provided
  • Payment method information (handled by Stripe — we never see card numbers)
  • Profile photo (optional)

From Project Managers and Clients invited to a Tenant

  • Name, email address, password (hashed)
  • Phone number (optional)
  • Profile photo (optional)
  • Activity on the Service: messages, updates, decisions, signatures, payments marked

Automatically

  • IP address, browser type, device type, mobile push tokens (when relevant)
  • Login timestamps and approximate geographic location
  • Crash reports and error logs (via Sentry)

3. How we use it

We use personal data to:

  • Provide and operate the Service
  • Authenticate you and keep your account secure
  • Send transactional emails (welcome, invitations, billing receipts, password resets)
  • Bill your subscription via Stripe
  • Send notifications about events on your projects (push and email)
  • Diagnose technical issues and improve the Service
  • Comply with legal obligations (tax records, fraud prevention)

4. Lawful basis for processing (UK GDPR)

  • Contract: processing necessary to provide the Service to you under the Terms and Conditions you accepted.
  • Legitimate interest: security, fraud prevention, product improvement, and operational diagnostics. We've balanced these interests against your rights and freedoms.
  • Legal obligation: tax records, response to lawful regulator requests.
  • Consent: where you explicitly opt in (for example, biometric unlock on your phone). You can withdraw consent any time.

5. Who we share data with

We don't sell your data. We share it only with the following sub-processors, which are bound by data protection agreements:

Sub-processorPurposeLocation
SupabaseDatabase, authentication, file storageLondon (eu-west-2)
StripeSubscription billing, payment processingEU + US (adequate safeguards)
ResendTransactional email deliveryEU (Ireland)
VercelWeb hosting and edge deliveryUS-headquartered, EU edge
CloudflareDNS, email routingGlobal; UK/EU PoPs prioritised
Expo (push)Mobile push notification deliveryUS
Apple / GoogleApp Store distribution, push transportGlobal

Where data is transferred outside the UK / EU, we rely on the UK's International Data Transfer Agreement, Standard Contractual Clauses, or adequacy decisions, as appropriate.

6. How we keep data safe

  • Database isolation: Each Tenant's data is gated by Postgres row-level-security policies; users in one Tenant cannot read or write data belonging to another.
  • Encryption in transit: All traffic is HTTPS / TLS 1.2+.
  • Encryption at rest: Supabase encrypts the database; storage buckets are private with signed-URL access.
  • Passwords: hashed using bcrypt by Supabase Auth. We never store or see plaintext passwords.
  • Payment details: handled entirely by Stripe — we never receive card numbers, CVCs or full bank account details for incoming card payments.
  • Backups: Supabase performs daily automated backups, retained for 7 days (free) or 14+ days (paid tier).

7. How long we keep data

  • Account data: while your Tenant is active, plus 30 days after cancellation
  • Backups: rolling 7-30 day window depending on plan
  • Invoicing records: 6 years after the end of the financial year (HMRC requirement)
  • Crash logs: 30 days
  • Marketing emails: until you unsubscribe, then suppression record retained indefinitely so we don't accidentally re-contact you

8. Your rights under UK GDPR

You have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data (subject to legal retention obligations like HMRC)
  • Restrict or object to processing
  • Data portability — receive your data in a machine-readable format
  • Withdraw consent where processing relies on consent
  • Complain to the UK Information Commissioner's Office (ICO) at ico.org.uk

To exercise any of these, email us at info@buildersready.uk. We'll respond within 30 days.

9. Cookies

We use a minimal set of strictly-necessary cookies for authentication (so we know who you are after you sign in). We don't use third-party advertising cookies or tracking pixels. Stripe sets cookies when you interact with Checkout — those are governed by Stripe's own privacy policy.

10. Children

Builders Ready isn't directed at children. We don't knowingly collect personal data from anyone under 18. If we become aware that we have, we'll delete it.

11. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or legal requirements. The "Last updated" date at the top of this page shows when. Material changes will be flagged by email to active Tenants.

12. Contact us

Questions about this policy or your data?

Mehraj Consultancy Ltd (Companies House 14161216)
info@buildersready.uk